CVE-2022-41721 – golang.org/x/net

Package

Manager: go
Name: golang.org/x/net
Vulnerable Version: >=0.0.0-20220524220425-1d687d428aca <0.1.1-0.20221104162952-702349b0e862

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00074 pctl0.22992

Details

golang.org/x/net/http2/h2c vulnerable to request smuggling attack A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests. ### Specific Go Packages Affected golang.org/x/net/http2/h2c

Metadata

Created: 2023-01-14T00:30:23Z
Modified: 2025-04-04T19:26:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-fxg5-wq6x-vr4w
Finding: F110
Auto approve: 1